Babysitting-booking app Sitter “temporarily” exposed the personal data of 93,000 account holders, according to a researcher who recently discovered the trove of data using the Shodan Internet of Things (IoT) search engine.

In a LinkedIn post, Bob Diachenko explains how he found the 2GB MongoDB database on August 13, which contained phone numbers, addresses, transaction details, phone book contacts, partial credit card numbers, and encrypted account passwords.

Other information included in-app chat and notification history, plus details of which users needed a babysitter at what time and at which address.

Shodan indexed the database a day before Diachenko noticed it, which suggests a short period of exposure – although it’s possible it was left in an unsecured state for longer.

The positive news: when told of the breach, Sitter reacted quickly, taking it offline. The alternative view is that if it hadn’t been noticed by chance, the data might still be up there and vulnerable to ransom or theft.

According to Sitter:

Sitter has already notified all of its users and partners of the temporary data breach you identified that resulted in the last week in the course of development of certain product enhancements. The security vulnerability was immediately re-secured. Sitter prides itself on trust, openness, and transparency with its users and is committed to maintaining a secure environment for its users.

Question: is Shodan excluded from laws?
Statements like “Shodan indexed the database” mean it read the data. And shared that data with anyone who would look. If a person did that they would be prosecuted (accessing someone’s computer without authorization).

@Mahhn: If you publish/expose something on the internet either on purpose or accidentally it’s in the public domain, so no law is broken. It may be unethical to read/use it for personal gain but not illegal. There is one exception… If you open something that is marked as classified at any level and you know it is classified, in most cases you have broken the law. It is also illegal if you break into a system either by using a vulnerability or stealing credentials.

Thanks for responding. Then I guess it becomes a thin line legally (on a case-by-case basis) if it was a vulnerability, misconfiguration, or something in between.
I would have expected that if there is PII (phone #s, addresses, transaction details, contacts, partial CC numbers, and encrypted account passwords) it would be obvious it wasn’t intentionally made public. But if the laws state it must be labeled Classified, that will be a word soon to be found in the metadata of every DB.